
Multiple XSS Vulnerabilities #596

Closed
Hbkhan opened this issue Jun 18, 2020 · 5 comments
Labels
security For bugs/exploits involving security.

Comments

@Hbkhan

Hbkhan commented Jun 18, 2020

There are multiple XSS vulnerabilities (support ticket, forum topics, and guest inquiries, as mentioned in #526). In this issue, I will demonstrate the stored XSS that exists in a support ticket!

Method to reproduce:

1- Go to support and click on create a ticket

[screenshot]

3- In the message field enter <script>alert('test');</script>

[screenshot]

4- Click on Submit

[screenshot]

[screenshot: xss2]

💻 Technical Description *

If we look in the src/bb-modules/Support/html_client file, we find the following JavaScript code, which is responsible for making the API request. The JavaScript serializes the input fields and sends a POST request to example.com/index.php?_url=/api/client/support/ticket_create

<script type="text/javascript">
$(function() {
    // Intercept the ticket form submit and send it via the bb API helper.
    $('#ticket-submit').bind('submit',function(event){
        $('.wait').show();
        bb.post(
            'client/support/ticket_create',
            $(this).serialize(),
            function(result) {
                bb.redirect('{{ 'support/ticket'|link }}' + '/' + result);
            }
        );
        return false;
    });
});
</script>

The request is received by the ticket_create function in /src/bb-modules/Support/Api/Client.php. The only check that exists in this function is for the required parameters.

public function ticket_create($data)
    {
        $required = array(
            'content'             => 'Ticket content required',
            'subject'             => 'Ticket subject required',
            'support_helpdesk_id' => 'Ticket support_helpdesk_id required',
        );
        $this->di['validator']->checkRequiredParamsForArray($required, $data);

        $helpdesk = $this->di['db']->getExistingModelById('SupportHelpdesk', $data['support_helpdesk_id'], 'Helpdesk invalid');

        $client = $this->getIdentity();

        return $this->getService()->ticketCreateForClient($client, $helpdesk, $data);
    }

Once it verifies that the provided data contains the required parameters, it combines the request with the client identity and helpdesk id and passes it to the ticketCreateForClient function in src/bb-modules/support/service.php

...
...
        $ticket                      = $this->di['db']->dispense('SupportTicket');
        $ticket->client_id           = $client->id;
        $ticket->subject             = $data['subject'];
        $ticket->support_helpdesk_id = $helpdesk->id;
        $ticket->created_at          = date('Y-m-d H:i:s');
        $ticket->updated_at          = date('Y-m-d H:i:s');

        // related task with ticket
        $ticket->rel_id        = $rel_id;
        $ticket->rel_type      = $rel_type;
        $ticket->rel_task      = $rel_task;
        $ticket->rel_new_value = $rel_new_value;
        $ticket->rel_status    = $rel_status;

        $ticketId = $this->di['db']->store($ticket);

        $this->messageCreateForTicket($ticket, $client, $data['content']);

...
    }

It stores the subject and other ticket info in the support_ticket table in the database and sends the content to the messageCreateForTicket function.

    public function messageCreateForTicket(\Model_SupportTicket $ticket, $identity, $content)
    {
        $msg                    = $this->di['db']->dispense('SupportTicketMessage');
        $msg->support_ticket_id = $ticket->id;
        if ($identity instanceof \Model_Admin) {
            $msg->admin_id = $identity->id;
        } elseif ($identity instanceof \Model_Client) {
            $msg->client_id = $identity->id;
        } else {
            throw new \Box_Exception('Identity is not valid');
        }
        $msg->content    = $content;
        $msg->ip         = $this->di['request']->getClientAddress();
        $msg->created_at = date('Y-m-d H:i:s');
        $msg->updated_at = date('Y-m-d H:i:s');

        return $this->di['db']->store($msg);
    }

The function basically stores the content value (which is the ticket body) in the support_ticket_message table in the database!

[screenshot]

This makes it a stored cross-site scripting vulnerability.

Reposting this from my original account
OLD Post Issue#526
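The chain above ends with the raw ticket body being written to support_ticket_message and later rendered as HTML without encoding. As an added example (not code from the report or from the BoxBilling project), the block below shows the output-encoding step that a rendering path needs, plus a small audit helper for rows that are already in the table. The function names renderTicketMessage and auditStoredMessages and the sample rows are my own constructions; the only payload used is the one from the report.

```php
<?php
// Added example, not BoxBilling code. Names and sample data are hypothetical.
declare(strict_types=1);

/**
 * Encode a stored ticket message for safe insertion into an HTML text node
 * or attribute value. Storing the raw input is acceptable; the defect the
 * issue describes is rendering that stored value without this step.
 */
function renderTicketMessage(string $content): string
{
    // ENT_QUOTES also encodes single quotes (needed inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    $escaped = htmlspecialchars(
        $content,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    // Keep line breaks the way a ticket body is normally displayed.
    return nl2br($escaped);
}

/**
 * Triage helper for rows already in support_ticket_message: report ids whose
 * content contains markup that would have executed when rendered unescaped.
 * Heuristic only; it supports review, it is not a substitute for encoding.
 */
function auditStoredMessages(array $rows): array
{
    $pattern = '/<\s*(script|iframe|object|embed|svg)\b|\bon\w+\s*=|javascript:/i';
    $flagged = [];
    foreach ($rows as $row) {
        if (preg_match($pattern, $row['content']) === 1) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

// Constructed sample rows mirroring the columns the report shows.
$rows = [
    ['id' => 1, 'content' => "Hello,\nmy invoice total looks wrong."],
    ['id' => 2, 'content' => "<script>alert('test');</script>"], // payload from the report
];

foreach ($rows as $row) {
    echo $row['id'], ': ', renderTicketMessage($row['content']), PHP_EOL;
}

echo 'Rows needing review: ', implode(', ', auditStoredMessages($rows)), PHP_EOL;
```

In a Twig-rendered template the same encoding is the `e` filter (or autoescaping left enabled); the point is that the encoding belongs at the place the value is inserted into HTML, not in ticket_create or messageCreateForTicket, where the content is only stored.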

Hbkhan changed the title from "XSS Vulnerability in Support" to "Multiple XSS Vulnerabilities" on Jun 22, 2020

@Hbkhan (Author)

Hbkhan commented Jun 25, 2020

@fordnox Can you request CVE for this through the Github advisory? Here's how

@huntr-helper

Bug Bounty

We have opened up a bounty for this issue on our bug bounty platform. Want to solve this vulnerability and get rewarded 💰? Go to https://huntr.dev/

We will submit a pull request directly to your repository with the fix as soon as possible. Want to learn more? Go to https://github.com/418sec/huntr 📚

Automatically generated by @huntr-helper...

@Neustradamus

2 years ago, big warning!

@timothygwebb

timothygwebb commented Jul 2, 2020 via email

@JamieSlome

@timothygwebb - we have received a fix through https://huntr.dev which we are currently reviewing. We will look to merge a fix in the next week or so (418sec#1).

Cheers! 🍰

@huntr-helper

🛠️ A fix has been provided for this issue. Please reference: 418sec#1

🔥 This fix has been provided through the https://huntr.dev/ bug bounty platform.


@evrifaessa evrifaessa added the security For bugs/exploits involving security. label Nov 29, 2020
6 participants